sks-devel

Re: [Sks-devel] HKPS certificate


From: Benny Baumann
Subject: Re: [Sks-devel] HKPS certificate
Date: Sun, 17 May 2015 10:50:07 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 17.05.2015 at 06:52, Christian Felsing wrote:
> Hi,
> 
> I am wondering, if CAcert would offer CA solutions to handle this
> type of "special" applications. I can imagine a sub CA which offers
> a web service (authenticated by a specific client certificate) to
> sign server certificates for that purpose.
> 
The server certificates issued by CAcert already include the XMPP
server name extensions in the SANs of the certificate as well as the
necessary purpose flags to use them as client certificates. That way
they can be used for authenticating servers to each other (cf. Debian
BTS #747453).

In fact: I'm using CAcert certificates on my server nearly exclusively
(except for the SKS PKI).

The problem with the SKS PKI is the missing CRL/OCSP infrastructure,
which we should strongly encourage Kristian to set up ASAP if he wants
to maintain his own root. That's something CAcert COULD provide as
part of an (special kind of) Organization Assurance in a new Policy
(maybe in a new subroot), BUT CAcert has a quite strong stance on not
allowing subroots that are not maintained by us. Also the way
Organization Assurance is implemented right now you won't get domains
outside your organization included in certificates. But this
limitation could be resolved with a CPS change introducing support for
HA server pools - which might be of interest outside the SKS pool.

> Christian
> 
> 
> On 16.05.2015 at 23:36, Benny Baumann wrote:
>> Which led to the situation that I specifically need to disable
>> OCSP stapling in my nginx for those 3 domains.
> 

Kind regards,
Benny Baumann
CAcert SoftWare Assessment Team
CAcert OpenPGP SKS Admin Team*
CAcert Infrastructure Team

*Yes, CAcert has its own SKS server. It's part of the normal network,
but we asked Kristian to not include it in the pool (for reasons).

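The check behind the stapling remark in the quoted part of this message, as an added example that is not code from the sks-devel thread, from SKS or from CAcert: nginx's `ssl_stapling` only works when the certificate's Authority Information Access (AIA) extension names an OCSP responder, and a private PKI with no CRL/OCSP services (the situation described for the SKS PKI) has none, so the directive has to stay off for those vhosts. The script uses only the standard library; its small DER encoder exists solely to construct sample extension blobs in-script (no real certificate is embedded), the responder URL `http://ocsp.example.test/` is a constructed placeholder, and all function and constant names are the example's own.

```python
"""Decide whether nginx's `ssl_stapling` can be turned on for a certificate.

Added example, not code from sks-devel, SKS or CAcert. Stapling requires an
OCSP responder URL in the AIA extension; a private PKI without revocation
services has none. A minimal DER encoder builds constructed sample blobs.
"""

OID_AIA = "1.3.6.1.5.5.7.1.1"       # id-pe-authorityInfoAccess
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method
OID_CRL_DP = "2.5.29.31"            # id-ce-cRLDistributionPoints
TAG_URI = 0x86                      # GeneralName [6] uniformResourceIdentifier


def _der_len(n):
    """DER definite-length encoding (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one TLV."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc < 2.40)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def tlvs(buf):
    """Yield (tag, value) for each consecutive DER TLV in buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                      # long form: next n bytes hold the length
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + ln]
        i += ln


def unwrap(buf):
    """Return (tag, value) when buf is exactly one TLV."""
    (tag, value), = tlvs(buf)
    return tag, value


def parse_extensions(ext_seq):
    """Map extnID (dotted OID) -> extnValue bytes for an X.509 Extensions SEQUENCE."""
    _, body = unwrap(ext_seq)
    result = {}
    for _tag, ext in tlvs(body):           # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue }
        parts = list(tlvs(ext))
        result[decode_oid(parts[0][1])] = parts[-1][1]
    return result


def ocsp_responders(extensions):
    """OCSP responder URLs listed in the AIA extension, in order; [] if none."""
    aia = extensions.get(OID_AIA)
    if aia is None:
        return []
    _, body = unwrap(aia)                  # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    urls = []
    for _tag, access in tlvs(body):
        parts = list(tlvs(access))         # { accessMethod OID, accessLocation GeneralName }
        method, (loc_tag, loc) = decode_oid(parts[0][1]), parts[1]
        if method == OID_AD_OCSP and loc_tag == TAG_URI:
            urls.append(loc.decode("ascii"))
    return urls


def stapling_directive(extensions):
    """nginx directive for this certificate: staple only if a responder exists."""
    return "ssl_stapling on;" if ocsp_responders(extensions) else "ssl_stapling off;"


# Constructed samples (placeholder URL, not a real CA).
def sample_public_ca_extensions():
    """AIA with one OCSP responder, as a public CA would issue."""
    access = der(0x30, der_oid(OID_AD_OCSP) + der(TAG_URI, b"http://ocsp.example.test/"))
    ext = der(0x30, der_oid(OID_AIA) + der(0x04, der(0x30, access)))
    return der(0x30, ext)


def sample_private_pki_extensions():
    """Only a critical basicConstraints; no AIA and no CRL DP, so no revocation."""
    ext = der(0x30, der_oid("2.5.29.19") + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
    return der(0x30, ext)


if __name__ == "__main__":
    for name, blob in (("public CA", sample_public_ca_extensions()),
                       ("private PKI", sample_private_pki_extensions())):
        exts = parse_extensions(blob)
        print(name, ocsp_responders(exts), "CRL DP:", OID_CRL_DP in exts, stapling_directive(exts))
```

The block stops at the Extensions SEQUENCE; feeding it a real certificate means first pulling that SEQUENCE out of the TBSCertificate's `[3]` field, or simply asking `openssl x509 -noout -ocsp_uri` for the same answer. Keeping `ssl_stapling off;` for certificates from a PKI without a responder avoids nginx attempting OCSP fetches that can never succeed, which is the per-domain split described above.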


